This article series is intended to help
you understand some of the terms and technologies employed by
hackers. With this knowledge, you will be better able to
ensure that your computer system (or network if you are a
system administrator) is adequately protected and safe from
prying eyes and unknown fingers.
Passwords Make The World Go Round
The internet (and all computers, actually) is secured by
usernames (also called account names) and passwords. In
virtually all instances, the only thing protecting your
valuable data (and your money and private information) is the
username and password combination.
If this is true (and it is true), then why do you suppose
so many people protect their vital data, money, and privacy
with such lame passwords? Even system administrators (who
should know better) protect their superuser accounts (these
accounts have very high privileges) with the extraordinarily
difficult password of GOD (sarcasm intended).
I remember a time many years ago when a client of mine (I
was a consultant in those days) called and bragged that his
system was perfectly secure. He had hired the best programmers
and the best system administrators so he knew it was all in
perfect order. While he was on the phone talking, I was
typing. Within two minutes, I had access to one of the
superuser accounts on his VAX system. Before he hung up, I
said, "By the way, you are logged in as FRED, your job name is
FRED345 and you are currently displaying a menu." He was
shocked. No hacking involved on my part at all - his highly
paid help had simply forgotten to change his system passwords
from the factory default (a very, very common error).
On another occasion, I helped with a security audit of a
large company. I subcontracted with a security expert (I am
well versed in system security, but that is not my primary
expertise) who performed the actual analysis. Overall the
company received very high marks - except they had a very weak
set of password policies.
The first task of my expert was to run a program called
L0phtCrack against their password file. This program (freely
available to hackers and anyone else who is interested)
recovers passwords from their stored hashes. It is very fast and
very good - and it ripped through my client's password file in
under ten minutes, retrieving over 80% of the passwords on the
network. It did not crack the admin password, but several
superuser passwords were found.
Another task we performed was simply walking around the
client's office to see what we could find. Of course, we found
the usual problems right away. One person had a simple
password of "xxxxxx" (very bad), another had all of her
passwords written on Post-it notes attached just below her
monitor in plain view of everyone! Other users were sharing
the same accounts, and some were sending their passwords to
each other via email.
Needless to say, all of this behavior is undesirable and
everything is relatively easy to fix. At this company, we
decided to provide training for the users on the importance of
good password policies. Virtually all of the users corrected
their password problems after those simple one-hour classes.
Okay, so take a look at your own usernames and passwords.
If a hacker is trying to break into your account, the first
thing that he or she must discover is your username. So spend
a minute and make your username just a little more obscure.
You see, most people make their usernames something like
their first name, their full name, their last name or some
other similar thing. It's a good idea to be a little more
obscure than this - perhaps throwing some numbers into the mix
("judy381thomas" might be used instead of just "judythomas")
or some other characters (if they are allowed). By doing this,
you've made it more difficult for anyone to guess your
username at all - which, in turn, protects your password.
Passwords need to be very obscure. Something like "sally"
is not a good password. Instead, try for "bhw198!@jds"
(assuming all characters are valid) or "thana23347japf" if
only letters and numbers are allowed. Always mix letters and
numbers, and make sure the password is at least eight
characters long.
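The rules just given (at least eight characters, letters mixed with numbers, nothing like "sally" or "xxxxxx") can be turned into a simple check that runs before a password is accepted. The following is an added example written for this article, not code from its author; the minimum length, the small list of common words, and the extra check that the password does not contain the username are assumptions chosen to illustrate the advice above.

```python
import re

# Added example: a checker that encodes this article's password advice.
# MIN_LENGTH and COMMON_WORDS are illustrative assumptions, not a standard.
MIN_LENGTH = 8

# Constructed sample of obvious choices; a real deployment would use a far
# larger list of common passwords, names and dictionary words.
COMMON_WORDS = {"sally", "god", "password", "admin", "fred", "letmein"}


def password_problems(password, username=None):
    """Return the reasons a password fails the article's rules (empty list = OK)."""
    problems = []

    # Rule: at least eight characters long.
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Rule: always mix letters and numbers.
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digits")

    # Rule: a single repeated character such as 'xxxxxx' is not a password.
    if password and len(set(password)) == 1:
        problems.append("one character repeated")

    # Rule: not a plain name or word. Strip digits and punctuation first so
    # that 'sally99!' is still recognised as the name 'sally'.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in COMMON_WORDS:
        problems.append("based on the common word '%s'" % core)

    # Assumed extra rule: knowing the username must not give away the password.
    if username and username.lower() in password.lower():
        problems.append("contains the username")

    return problems


def is_acceptable(password, username=None):
    """True when the password passes every rule above."""
    return not password_problems(password, username)


if __name__ == "__main__":
    # The article's own good and bad examples.
    for candidate in ["sally", "xxxxxx", "GOD", "bhw198!@jds", "thana23347japf"]:
        verdict = "OK" if is_acceptable(candidate) else ", ".join(password_problems(candidate))
        print("%-16s %s" % (candidate, verdict))
```

The checker rejects the article's bad examples ("sally", "xxxxxx", "GOD") and accepts both of its suggested passwords; a real system would back the same rules with a much larger list of common passwords and would apply them at the point where the password is set, so users never get to keep a weak one.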
Follow these simple steps and you will find that your
accounts will remain safe and secure.